In July, the European Court of Justice essentially struck a death blow to the EU-U.S. Privacy Shield, finding it did not provide sufficient restrictions on U.S. public authorities’ ability to access EU data subjects’ information after transfer to the U.S.
Emanating from a complaint lodged by Austrian lawyer and privacy activist Max Schrems, the ruling has significant implications for companies that engage in bulk processing of data belonging to EU citizens (we’re looking at you, Facebook).
Invalidation of the Privacy Shield has left many industry members scrambling to make sure they aren’t thrown out of compliance, but as shocking as the judgment was, we’ve actually been here before. And there are ways to move forward, as seen in another part of the ruling, by incorporating third-party verification mechanisms into agreements.
Two Strikes So Far
While the headlines focused on the Privacy Shield portion of the ruling, the ECJ did uphold that the EU Commission’s Standard Contractual Clauses (SCCs) can be considered an adequate mechanism for transferring personal data from the EU to the U.S.
In 2015, the ECJ struck down the U.S.-EU Safe Harbor Framework, Privacy Shield’s predecessor in kind, on similar grounds. Now that these administrative schemes have been struck down twice, the question for policy makers becomes, “where do we go from here?”
Most recently, the U.S. Department of Commerce and the European Commission issued a joint statement announcing that they have “initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework,” though they provided few clues as to what this might look like.
Data privacy, data breaches, and information security will undoubtedly continue to be hot-button topics—especially given the growing scale, sophistication and cost of cyber attacks—as well as increasing scrutiny from consumers regarding how and why their data is collected.
The U.S. is actually one of just a few countries that lacks an overarching data privacy law at the national level, instead relying on a dizzying array of state protections that can present headaches for compliance professionals. There have been growing calls to remedy that shortcoming; these calls are almost certain to grow louder and more frequent in the wake of the decision.
As part of its July ruling, the court also posited that while SCCs remain valid, data controllers wishing to export EU citizens’ data must assess whether such agreements can provide effective protections for EU citizens given the laws of the importing country and evaluate the adequacy of individual SCCs as implemented in those jurisdictions. If SCCs are found to be inadequate or deficient on either basis, supervisory authorities must prohibit or suspend the transfers.
For the time being, even businesses operating under SCCs should be wary of the increased scrutiny regulators will likely apply to such agreements given the perceived inadequacy of U.S. privacy protections in EU courts. In light of the global trend towards data privacy, federal privacy protections could support greater transnational reciprocity and facilitate international data commerce for U.S. companies.
To ensure that businesses take more than a “sign-and-forget” approach to privacy obligations, regulators might consider adopting a “trust-but-verify” maturity mechanism similar to that used for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC).
Requiring independent third-party verification for the new international reciprocity program, as opposed to the self-certification used for Privacy Shield, would provide international regulators with assurances that U.S. companies have implemented controls to provide EU data subjects with equivalent protections to those offered by European law.
Even in the absence of a new federal reciprocity framework, U.S. and EU businesses conducting international data commerce based on SCCs would benefit from incorporating a trust-but-verify component into these arrangements.
Relying on self-certifications or sign-and-forget attitudes in privacy compliance leads to increased risks for all parties involved. Third-party verification can help to ensure that transfers made under SCCs will stand up to the increased scrutiny that’s likely to come from supervisory authorities in the near future, and better position companies to adapt with the times.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Melissa Koch, a business and technology lawyer, is co-founder and CEO of InFront Compliance, a next-gen vendor risk management platform provider based in Orlando, Fla., that serves clients in the banking, credit union, fintech, cybersecurity, and defense industries.